©2020 FireEye | Private & Confidential
UMBC Malware Analysis Class
Christopher Gardner
Chris Gardner
§ Based in Denver, CO
§ Senior Reverse Engineer at FireEye/Mandiant
– FLARE Team
§ Graduated UMBC CMSC ’18
– Former Cyberdawg
– Former TA for this class
§ I was RJ’s TA :)
§ For fun
– Rock Climbing, Skiing, other Colorado things
– CTFs
Agenda
§ What is FLARE?
§ What it’s like to be a Malware Analyst
§ A look at some cool FLARE tools
§ Feature Presentation: “Beating the Malware Piñata”
§ Internship/job pitch
§ Q&A
FRONT LINE APPLIED RESEARCH & EXPERTISE
§ Mission
– Find Evil & Expand Wisdom
§ Vision
– Discover, Enrich, and Broker Front-Line Knowledge to Internal and External customers
Finding Evil and Expanding Wisdom – From the Front Line
[Diagram: labels read Malware Samples; Continuous OSINT & Hunting External Data; Incident Response Engagements; Globally Deployed FireEye Products; Signatures; New Tech & Process; Investigation Support; Malware Analysis; Customer Response Support; Tools & Plugin Creation]
FLARE Customers
§ Leadership & Marketing
– Awareness of active adversary events and key industry events, and advice on next steps. Tools, Tweets, Challenges, Talks, Blog, etc.
§ Consulting
– Provide intrusion support, identify high-value return areas, malware analysis, advanced red teaming, education, and assign event attribution
§ Managed Defense
– Support rapid responses, attribute key events, malware analysis, and aid adversary analysis
§ Products
– Identify newly learned adversary topics to rapidly drive company improvement, vulnerability assessments, R&D, features, etc.
§ Intel
– Provide visibility into the front lines, intrusion trends, adversary activity, malware analysis, and advise on key technical events
FLARE
§ Elite team of reverse engineers and researchers
§ International, remote team (~40 people)
§ Reverse engineer pretty much all the malware at FireEye/Mandiant
– Huge stream of interesting stuff to look at :)
§ Also find bugs sometimes
§ Release cool tools (open source!)
§ Teach classes on Malware Analysis
§ Create/implement binary similarity tools
FLARE In the news
Malware Operations
§ Support the entire company with in-depth RE and MA
– From Incident Response for clients to Internal IT
– Sample analysis, decoders, and specific questions answered
– Reports contain detections, capabilities, and detailed analysis
§ Malware “Queues” – Staffed with six analysts + Queue Ops
– Mandiant Consulting
– Mandiant Managed Defense
– Mandiant Intel – “Hot List”
– Mandiant Intel Analyst Access / I3 Support
– FLARE Advanced Practices
§ Mentoring Program
– Develop new analysts, define analysis process, and oversight
2020 YTD Statistics
Analyzed Samples: 1452
Escalations: 48
Offensive Task Force (OTF)
§ Elite group focused on offensive support of company and customers
– Vulnerability/Exploit analysis
– Zero-day reporting and coordination
– Custom Tool Development
§ Support the Red Team Function
– Write malware for our red team
– Application level assessments
§ Application Security Assessments
– Internal – Work closely with Product Security to break products before others
– External – Team up with Mandiant consulting on low-level assessments
§ So far in 2020
– 15 Application Security Assessments for Customers, Product Security, and MD
– Over 21 vulnerabilities reported across a multitude of vendors
External Education
§ Offering training at conferences and client sites all over the world
– Essentials of Malware Analysis (2 days)
– Malware Analysis Crash Course (3 days)
– Malware Analysis Master Class (5 days)
– Customized Malware Analysis Course (2-10 days)
– Router Backdoor Analysis Class (2 days)
– macOS Malware Analysis Crash Course (2 days)
§ Pivoted to teach 31 courses online during Covid
§ Development of new offerings
– New Hotness: Malware Authoring and Repurposing
Applied Research
§ Build tools to make automated analysis better, and augment manual analysis
§ Given a malware sample
– Is this similar to any other malware we know about?
– Can we automatically unpack this sample?
– What capabilities does this sample have?
– What indicators can we automatically extract?
What does a Malware Analyst Do?
§ Analyze malware, write reports
– Reports are more freeform than your homework assignments
– Sometimes there are special requests
§ Make signatures for malware (sometimes)
§ Do other research
– Better malware detection strategies
– Vulnerability research
– Data science
A day in the life of a Reverse Engineer
§ Varies depending on what week it is
§ Sometimes on the malware queue, neck deep in IDA Pro reversing cool stuff
§ Sometimes taking two weeks to write an automated unpacker
§ Writing/giving conference talks
§ Teaching/developing courses
§ Showing my coworkers some sick shellcode
Malware Operations Workflow – Horizon & JIRA Tickets
[Diagram: labels read Central Repository; Feedback & Results; Automated Analysis; Basic Triage; Full Analysis; Custom Questions; Request Additional Information / Customer; Report]
Cool things I’ve done
Teaching!
Research
Special Projects
§ Automated parsing and decryption of malware network traffic
§ Reverse engineering medical devices for ‘compliance’
§ Advanced sandbox sorcery
§ Continuously scan the internet for new C2 servers
Skills needed for Malware Analysis
§ Writing!
§ Disassembly
§ Debugging/Dynamic analysis
§ Windows Internals
§ Programming/scripting
§ More advanced stuff
– Cryptanalysis
– Program analysis
– Emulation
FLARE Public Tooling
§ FLARE VM – Windows VM with many malware analysis tools installed
§ FLOSS – Automatic deobfuscation of strings (sometimes)
§ capa – Automatically detecting malware capabilities
§ FAKENET-NG – Internet simulation that actually works
§ flare-ida – Loads of IDA Pro plugins to automate common tasks
§ Speakeasy – Emulator designed to execute kernel & user space binaries & shellcode
§ FireMLaaS – Machine learning based malware classification (on VirusTotal)
§ And More!
FLARE-VM
§ Build a Windows VM geared towards Malware Analysis
§ Updated monthly
§ All the tools FLARE uses on a regular basis
– If we use something and it isn’t in FLARE VM, we add it
§ Free!
§ Easy to install – just run a PowerShell script
§ Other flavors available as well
– CommandoVM – red team focused toolkit
Quick tour of FLARE VM + other non-FLARE tools
§ Sysinternals – procmon, autoruns, procexp, etc.
§ PE Tools – pestudio, CFF Explorer, DIE, etc.
§ Lots of disassemblers/enhancers – IDA, Binary Ninja, IDR, dnSpy, jd-gui
§ Hex editors: 010, HxD
§ Debuggers: x64dbg, OllyDbg, WinDbg
§ All the FLARE tools
§ Python + helpful libs
§ And so much more!
FLOSS
FLOSS – FireEye Labs Obfuscated String Solver
§ More than just strings
§ Automatically deobfuscates strings used by the binary
§ Much quicker than manually pulling them out with a debugger
§ Simple (floss my_program), but tuneable
§ Will also pick up regular strings and stack strings
FLOSS internals
§ How does FLOSS work?
§ Uses Vivisect (Python program analysis library) under the hood
§ Identify possible string decoding functions
§ Extract arguments for those functions
§ Emulate the functions
§ Look for human readable strings in the memory output
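An added illustration of the last step of that pipeline (not FLOSS's own code): given a memory snapshot from before and after a decoding function runs, keep only the ASCII and UTF-16LE strings that appeared because of the decoder. The decoder, the key, the strings and the memory layout below are all constructed for the example; a toy Python XOR routine stands in for the function vivisect would emulate.

```python
import re
from typing import List, Tuple

MIN_LEN = 4
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

def find_strings(mem: bytes) -> List[Tuple[int, str]]:
    """Return (offset, text) for every ASCII and UTF-16LE run in a memory image."""
    hits = [(m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(mem)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(mem)]
    return sorted(hits)

def decoded_strings(before: bytes, after: bytes) -> List[Tuple[int, str]]:
    """Strings readable after the decoder ran that were not readable before.
    Diffing against the pre-emulation snapshot drops the plain strings a
    normal `strings` pass already shows, leaving what the decoder produced."""
    seen = {text for _, text in find_strings(before)}
    return [(off, text) for off, text in find_strings(after) if text not in seen]

# --- constructed sample: a toy decoder standing in for the emulated function,
# and a fake memory image holding its input/output buffers ---
XOR_KEY = 0xC3                     # sets the high bit, so encoded bytes are never printable
PLAIN = b"GET /gate.php HTTP/1.1"  # an ordinary string, visible in both snapshots
SECRET_A = b"http://c2.example.invalid/"        # constructed; stored XOR-encoded
SECRET_W = "Software\\Run".encode("utf-16-le")  # constructed wide string; also encoded

def xor_decode(buf: bytes) -> bytes:
    """Stand-in for the malware's decoding routine that FLOSS would emulate."""
    return bytes(b ^ XOR_KEY for b in buf)

def snapshot(decoded: bool) -> bytes:
    """Fake memory image: filler code bytes, the plain string, then the two buffers."""
    a, w = (SECRET_A, SECRET_W) if decoded else (xor_decode(SECRET_A), xor_decode(SECRET_W))
    return b"\x55\x8b\xec\x33\xc0" * 3 + PLAIN + b"\x00" * 8 + a + b"\x00" * 8 + w + b"\x00\x00"

if __name__ == "__main__":
    for off, text in decoded_strings(snapshot(False), snapshot(True)):
        print(f"0x{off:04x}: {text!r}")
```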
Stack strings
FAKENET-NG
§ Successor to Fakenet
§ Replaces inetsim, ApateDNS, etc.
§ Super easy to set up (don’t need to run 2 VMs like inetsim)
§ Makes the malware think it can access the internet
§ Has handlers for a variety of protocols/services
– HTTP/S, SMTP, FTP, etc.
§ Can do TLS interception too!
§ Everything is saved in a pcap for you to analyze later, as well as logged to the console
CAPA
§ Automatically extract some capabilities from malware
§ Uses capa rules – sorta like YARA but with more analysis
§ Can reference specific assembly instructions, constants used in code, etc.
– Example: can identify if a specific constant in AES is used by the sample
§ Open source, and open source rules that anyone can contribute to:
– https://github.com/fireeye/capa
– https://github.com/fireeye/capa-rules
The FLARE-On Challenge
◆ Multiple binary CTFs based around reverse engineering
◆ 5,648 registered participants in 2020
▶ 260 winners completed
▶ 3,574 completed at least one challenge, a record!
◆ All past challenges are at www.FLARE-On.com with solutions, and on the FireEye blog
◆ Diverse puzzles
▶ Nintendo, Android, Virtualization, Steg, .NET, etc.
◆ Prize & Bragging Rights
◆ Largest RE Competition in the World
Sharing With The Community
§ Get our code - https://github.com/fireeye/
§ Read our blog - http://www.fireeye.com/blog with tag “FLARE”
§ Read our whitepapers – M-Trends, Synful Knock, WMI, etc.
§ Compete in our challenge – http://www.flare-on.com/
§ Play with our free tools - https://www.fireeye.com/services/freeware.html
Beating the Malware Piñata
Chris Gardner
One week on the Intel queue…
A very productive week, until now
§ Perusing the intel queue, looking for my next ticket
§ 0178a69c43d4c57d401bf9596299ea57, submitted by our Threat Intel team
§ “Potential LOCKLOAD? Would be very interested to know if there are links to Fallout Team”
– Family names, hooray!
– Has a TIS ticket attached!
– Wait, 2 MB?
§ Not Go
§ Not Delphi
§ C++
§ Uh oh!
2 MB, 18 functions… hm…
Nurse, get me 20 CCs of explorer.exe, STAT!
§ Malware reads shellcode from the copy of itself on disk
§ Creates explorer.exe in suspended mode
§ Writes shellcode to the suspended process using WriteProcessMemory()
§ Manually resolves functions to create an import table
§ Resumes the thread
§ ????
§ Profit!
2 ways to solve
Static way
§ Lots of work
§ Works every time, no need to redo anything on later samples
§ Create a Binary Ninja loader plugin that patches in the import table
§ Cool, technical, slick
Dynamic way
§ Moderate amount of work
§ Have to redo completely each time
§ Run the process, dump memory
§ Brash, uncultured, dirty
Some cool shellcode
§ Alright! A juicy payload ripe with indicators
§ Oh wait:
– Generate temporary filename starting with @AE
– Read malware on disk, decode some more code
– Write to temporary file and execute
§ It’s just a dropper :(
WHACK!
93D1BABAE7EAD19B4551DBFA57E858CE
§ Rewrites original file with a legit IBM utility
§ Takes a very long time just to show an error
§ 🤔
280200E5C0F57EBC01662C6B9976B7D9 – @AE1.tmp.exe
§ Nurse! More explorer.exe!
§ Here we go again
§ Of course this is the last time, so let’s just do the dynamic way again :)
– It was at this moment that Chris sealed his fate, as this was not the last time, nor the second to last time
WHACK
081BFF47D9069448A9AF0DACD064469E – dll_suspender.dll
§ Library that is loaded in memory by the second dropper
§ Contains juicy persistence indicators :)
§ Implemented as an annoying-to-reverse COM object for some reason
– No other obfuscation of indicators
§ Saves a copy of ws2_32.dll (Winsock) for some reason
6cb9e6476ca972812c1c80bd68e031d1 – WdExt.exe
§ At last, the main dropper!
– But not the final one
§ Drops 8 PEs
§ Injects into explorer.exe again
WHACK
The libraries
§ Drops 6 DLLs that serve as libraries for the malware
A break – time for some research
• “Potential LOCKLOAD? Would be very interested to know if there are links to Fallout Team”
• Quickly ruled out LOCKLOAD
• Is it Fallout team?
• Google is unhelpful
Fallout Exploit kit != Fallout team
thank u FireEye
What about those internal DLL names? Maybe someone has analyzed this before…
DAAC1781C9D22F5743ADE0CB41FEAEBF – launch.exe
• One of the two EXEs dropped by the main dropper.
• Analyzed by the blog post! Yeah! :)
• Injects into explorer, drops persistence, loads the libraries into explorer.exe processes
• ezpz
75C1467042B38332D1EA0298F29FB592 – wtmps.exe
§ Not mentioned in the blog post at all
– Have to get my hands dirty again
§ Quite different from all the other malware in this chain
– Doesn’t inject into explorer, just runs everything itself
§ …but still just another dropper
WHACK
78D3C8705F8BAF7D34E6A6737D1CFA18 – mscaps.exe
§ Drops persistence :)
– wooo, indicators!
§ This one isn’t a dropper!
§ ….it’s a launcher
WHACK
978888892A1ED13E94D2FCB832A2A6B5 – wtime32.dll
§ This is it folks
§ The final payload
§ The final frontier
§ The only thing standing between me and the sweet sweet feeling of closing 8 tickets in 1 minute
– stats=padded
wtime32.dll
§ Basic backdoor over DNS
§ Has some commands
§ Wait, what’s that ts command? Oh no…
WHACK
TWO C2 PROTOCOLS????
§ The payload also includes a more powerful custom binary protocol that it can use
§ The Kaspersky report on DarkHotel missed this :)
In the end….
§ 1 analyst
§ 8 tickets completed
§ 16 total PE files dropped
§ 15 PEs analyzed
§ 2 incorrect/incomplete open source reports
§ 45 hours of work over 1 month
§ 1 box of Kleenex used
Questions?
FLARE Jobs/internships
§ Bit late for internships – but we are pretty much always hiring
– https://www.fireeye.com/company/jobs.html
§ FLARE internships work on real, important projects with real FLARE team members
– Sandbox development
– Binary similarity
– Automated unpacking
§ Much more out there than just FLARE; if it’s infosec, FireEye probably has an internship/job for it
Questions?